[ 
https://issues.apache.org/jira/browse/SLING-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-5638:
---------------------------------
    Attachment: SLING-5638-patch.txt

Attaching proposed patch. [~cziegele] WDYT?

Note, the patch resolves this issue. That is, assuming there is:

* deny jcr:all in '/' for everyone
* allow jcr:read in '/content' for testuser
* any alias (e.g. mypagealias) exists under the children of '/content' (e.g. 
'/content/<path_of_page>/my_page')
* Test user can access 
http://localhost:4502/content/<path_of_page>/mypagealias.html 

One limitation will still exist, and I doubt we can ever fix it. 
The unsolved case is this:

* deny jcr:all in '/' for everyone
* allow jcr:read in '/content' for testuser

If the alias (e.g. mypagealias) is directly in /content, testuser still can't 
access http://localhost:4502/mypagealias. 
I propose to document this as a limitation unless someone has an idea on how to 
solve this...


> Sling:alias property not working if user does not have read access to the 
> root node
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-5638
>                 URL: https://issues.apache.org/jira/browse/SLING-5638
>             Project: Sling
>          Issue Type: Bug
>          Components: ResourceResolver
>            Reporter: Antonio Sanso
>            Assignee: Antonio Sanso
>         Attachments: SLING-5638-patch.txt
>
>
> Issue: Sling:alias property not working if the user has read-only access 
> to the /content folder.
> Steps:
> 1) Log in using admin/admin.
> 2) Create a page, say mypage.html, and provide a sling:alias property, say 
> mypagealias.
> 3) Create a test user and provide read-only access on the /content folder from 
> the useradmin console.
> 4) Log out from the admin user.
> 5) Hit the page http://localhost:4502/content/<path_of_page>/mypage.html; it 
> will ask for the login (log in as the test user) and it opens the page.
> 6) Hit the alias page 
> http://localhost:4502/content/<path_of_page>/mypagealias.html - it won't work.
> The sling:alias property gets stored at the jcr:content node for the page in 
> /content, so a user with read access on /content should access it. Please 
> correct me in case I am missing something.
> To make it work, one has to give root (read-only) access to the test user; 
> only then can the test user access the alias page.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
